1. Field of the Invention
The present invention relates to an apparatus and method for preventing an anomaly of an application program, and more particularly, to an apparatus and method for preventing an anomaly of an application program that detect and stop the anomaly on the basis of a behavior profile for an application program.
2. Discussion of Related Art
In recent years, computer hackers have been exploiting vulnerabilities in application programs such as word processors, media players, etc. to obtain people's Internet banking information, security document information, etc. Such attacks usually exploit application program vulnerabilities to install and execute a malicious program such as a virus, spyware, trapdoor, backdoor, or the like with the authority of a normal application program process.
Anti-virus programs widely used in personal computers (PCs) employ a method of collecting and analyzing known malicious files and pattern matching an extracted signature with a file to be checked. Accordingly, anti-virus programs provide no protection against day-zero attacks using unknown malicious codes.
FIG. 1 is a block diagram showing an execution environment of a conventional signature-based anti-virus program.
Referring to FIG. 1, a conventional anti-virus program 110 detects a malicious code 130 on the basis of a malicious code pattern stored in a signature database 120, which is periodically updated by an update engine 140. However, since new malicious codes whose patterns have not yet been added to the signature database 120 by the update engine 140 are not detected, the anti-virus program 110 provides no protection against attacks using them, such as a day-zero attack.
On the other hand, an anomaly detection-based security program detects an attack using a malicious code by monitoring log files, user activities, and system calls. Unlike the signature-based anti-virus program, the anomaly detection-based security program may detect a new type of attack, but since it detects an anomaly by the same criteria regardless of the purpose of an application program, it has a high false-positive rate. To decrease the false-positive rate, the conventional anomaly detection-based security program permits an application program allowed under set criteria to perform operations such as process creation or network connection.
FIG. 2 is a flowchart showing an anomaly detection process of a conventional anomaly detection-based security program.
Referring to FIG. 2, the conventional anomaly detection-based security program classifies application programs installed on a computer as normal or suspicious according to criteria set by a user (201). When an application program is classified as normal, all behavior of the application program is allowed (202). When an application program is classified as suspicious, its behavior is analyzed and compared with a pre-stored attack pattern (203 and 204). When the behavior of the application program is identified as an attack, the attack is stopped (205).
As described above, the conventional anomaly detection-based security program allows all behavior of an application program trusted by a user without behavior analysis, in order to decrease the false-positive rate that results when all application programs are compared with attack patterns by the same criteria. Therefore, the conventional anomaly detection-based security program has a problem in that it may fail to detect the behavior of a trusted application program as an anomaly even when the program's vulnerabilities are exploited to make it install or execute a malicious program.
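The following is an added example, not code from the patent or from any product it describes, that models the FIG. 2 decision flow (steps 201 to 205) and the blind spot described above, and sets beside it a per-application behavior profile check of the kind the field-of-invention paragraph refers to. The program names, attack patterns, profile contents and event records are all constructed for illustration, and the profile design is an assumption; the page only states that the invention decides on the basis of a behavior profile.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


# Constructed sample event record: one monitored behavior of one process.
@dataclass(frozen=True)
class Event:
    program: str   # image name of the process that performed the action
    action: str    # "file_read", "file_write", "process_create", "network_connect"
    detail: str    # path, host:port or command line (constructed values)


# (201) User-set criteria: these programs are classified "normal", all others
# "suspicious". Names are constructed for the example.
TRUSTED_PROGRAMS: Set[str] = {"wordproc.exe", "mediaplayer.exe"}

# (204) Pre-stored attack patterns, written here as predicates over an event.
# Constructed examples; a real product keeps a much larger catalogue.
ATTACK_PATTERNS: List[Tuple[str, Callable[[Event], bool]]] = [
    ("exec-from-temp",
     lambda e: e.action == "process_create" and "\\temp\\" in e.detail.lower()),
    ("connect-nonstandard-port",
     lambda e: e.action == "network_connect"
     and not e.detail.endswith((":80", ":443"))),
]


def matches_attack_pattern(event: Event) -> Optional[str]:
    """Return the name of the first attack pattern the event matches, else None."""
    for name, predicate in ATTACK_PATTERNS:
        if predicate(event):
            return name
    return None


def conventional_decision(event: Event) -> str:
    """FIG. 2 flow: trusted programs are never analyzed; suspicious ones are pattern-matched."""
    if event.program in TRUSTED_PROGRAMS:
        return "allow"                      # (202) all behavior allowed, no analysis
    if matches_attack_pattern(event):       # (203) analyze, (204) compare with patterns
        return "block"                      # (205) stop the attack
    return "allow"


# Assumed per-application behavior profile: the set of actions each program is
# expected to perform in normal use. Anything outside the profile is an anomaly
# for that program, whether or not the program is trusted.
BEHAVIOR_PROFILES: Dict[str, Set[str]] = {
    "wordproc.exe": {"file_read", "file_write"},
    "mediaplayer.exe": {"file_read", "network_connect"},
}


def profile_decision(event: Event) -> str:
    """Allow only actions in the program's profile; unprofiled programs fall back to patterns."""
    profile = BEHAVIOR_PROFILES.get(event.program)
    if profile is None:
        return "block" if matches_attack_pattern(event) else "allow"
    return "allow" if event.action in profile else "block"


def evaluate(events: List[Event], decide: Callable[[Event], str]) -> List[Tuple[str, str, str]]:
    """Run one decision policy over an event stream and return (program, action, decision) rows."""
    return [(e.program, e.action, decide(e)) for e in events]


# Constructed event stream: ordinary work, then a trusted word processor that has
# been made to spawn a program from the temp directory, then an unknown program.
SAMPLE_EVENTS: List[Event] = [
    Event("wordproc.exe", "file_write", "C:\\Users\\alice\\report.docx"),
    Event("mediaplayer.exe", "network_connect", "media.example:443"),
    Event("wordproc.exe", "process_create",
          "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe"),
    Event("unknown.exe", "process_create", "C:\\Windows\\Temp\\payload.exe"),
]

if __name__ == "__main__":
    for policy in (conventional_decision, profile_decision):
        print(policy.__name__)
        for row in evaluate(SAMPLE_EVENTS, policy):
            print("  ", row)
```

Under the conventional policy the third event is allowed because the word processor is trusted, which is exactly the problem the text identifies; the profile policy blocks it because process creation is not part of the word processor's expected behavior, while the unknown program's process creation from the temp directory is blocked by both.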